Most Popular Posts

11/02/2014

How to disable remote shutdown in Tomcat (secure)

Examples:

  • change the port number from the default to a different one (not recommended)
  • change the shutdown command (partially recommended)
  • change the port number to -1 (recommended)


By default Tomcat listens on port 8005 for the SHUTDOWN command. When such a message is received, all applications within this context are shut down. By default the listener is bound to the loopback interface, so it is not accessible from an external network. For security reasons I’d strongly advise disabling this functionality if it is not needed, in case some user shuts the service down on purpose or by accident.


We can find this definition in the server.xml file:
$CATALINA_HOME/conf/server.xml

<Server port="8005" shutdown="SHUTDOWN">
You might also have an ‘address’ attribute in this line; it indicates that the host may have multiple NICs (http://en.wikipedia.org/wiki/Network_interface_controller).

We can prevent shutdowns over that port by changing these values.


EXAMPLE 1:

Change the settings in the server.xml file from:
<Server port="8005" shutdown="SHUTDOWN">
To:
<Server port="8008" shutdown="SECRETCOMMAND">
From now on, only the SECRETCOMMAND command will shut down the instance. All other commands (including SHUTDOWN) will fail.

Result:


[me@me ~]$ telnet 192.168.1.3 8005
Trying 192.168.1.3...
Connected to 192.168.1.3.
Escape character is '^]'.
SHUTDOWN
Connection closed by foreign host.


Response (by default in the catalina.out file):


WARNING: StandardServer.await: Invalid command 'SHUTDOWN' received



EXAMPLE 2: 

Change the settings in the server.xml file from:
<Server port="8005" shutdown="SHUTDOWN">
To:
<Server port="8001" shutdown="SHUTDOWN">
From now on, only the SHUTDOWN command issued on port 8001 (if it is not used by another application) will shut down the instance. Port 8005 will not be used by this instance.

Result: 




[me@me ~]$ telnet 192.168.1.3 8005
Trying 192.168.1.3...
telnet: connect to address 192.168.1.3: Connection refused



EXAMPLE 3 (recommended): 

Change the settings in the server.xml file from:

<Server port="8005" shutdown="SHUTDOWN">
To:
<Server port="-1" shutdown="SHUTDOWN">
This will disable the SHUTDOWN service/command for good :)

Result:


[me@me ~]$ telnet 192.168.1.3 8005
Trying 192.168.1.3...
telnet: connect to address 192.168.1.3: Connection refused
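To check which of the three configurations a server.xml actually has, here is an added audit script (my own example, not part of the original post or of Tomcat). It reads the <Server> element and reports findings in the order of the post's recommendations: port -1 is clean, a non-default port/command is partial mitigation, and the stock 8005/SHUTDOWN pair is flagged. The defaults it assumes for missing attributes (8005, SHUTDOWN, loopback) are the ones the post describes; the sample documents are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Loopback names/addresses; anything else widens who can reach the shutdown listener.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_shutdown_listener(server_xml):
    """Return a list of findings for the <Server> shutdown listener.

    An empty list means the listener is disabled (port -1), which is the
    post's recommended option (example 3).
    """
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        raise ValueError("expected <Server> root element, got <%s>" % root.tag)

    # Assumed defaults (taken from the post) for attributes that are omitted.
    port = int(root.get("port", "8005"))
    command = root.get("shutdown", "SHUTDOWN")
    address = root.get("address", "localhost")

    findings = []
    if port == -1:
        return findings  # nothing is listening, so nothing else to check
    if port == 8005:
        findings.append("shutdown listener on the default port 8005")
    if command == "SHUTDOWN":
        findings.append("default shutdown command 'SHUTDOWN' still in use")
    if address not in LOOPBACK:
        findings.append("shutdown listener bound to non-loopback address %s" % address)
    findings.append('shutdown listener enabled; set port="-1" to disable it')
    return findings


def audit_file(path):
    """Audit an on-disk server.xml, e.g. $CATALINA_HOME/conf/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_shutdown_listener(fh.read())


# Constructed sample documents for the demonstration (not from any real server).
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""
EXAMPLE1_SERVER_XML = '<Server port="8008" shutdown="SECRETCOMMAND"/>'
EXPOSED_SERVER_XML = '<Server port="8005" shutdown="SHUTDOWN" address="0.0.0.0"/>'
HARDENED_SERVER_XML = '<Server port="-1" shutdown="SHUTDOWN"/>'

if __name__ == "__main__":
    for name, doc in [("default", DEFAULT_SERVER_XML), ("example 1", EXAMPLE1_SERVER_XML),
                      ("exposed", EXPOSED_SERVER_XML), ("example 3", HARDENED_SERVER_XML)]:
        print("%s: %s" % (name, audit_shutdown_listener(doc) or ["OK"]))
```

Run it against a real installation with `audit_file("/path/to/conf/server.xml")`; the non-loopback check is there because an `address` attribute set to a LAN address is exactly what lets the telnet sessions above reach the listener from another host.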

AJP (Liferay/ Tomcat) no response fix

https://github.com/wheelq/AJP.Stats

Description of the issue

When using Liferay on Tomcat behind Apache/nginx you might experience a small Denial of Service from time to time. In most cases the issue lies in Tomcat's configuration, or, to be more precise, in the lack of it ;)

When defining an AJP connector on port 8009:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="10.0.1.2" URIEncoding="UTF-8"/>

people often miss two important settings: connectionTimeout and keepAliveTimeout.

Solution

connectionTimeout - the number of milliseconds the Connector will wait, after accepting a connection, for the request URI line to be presented. If no value is defined, the default of -1 (i.e. infinite) is used.

keepAliveTimeout - the number of milliseconds the Connector will wait for another AJP request before closing the connection. By default it uses the value set for the connectionTimeout attribute.

Lack of this configuration might cause a DoS (Denial of Service) of the application itself. Once you have fixed the problem by defining the settings mentioned above, you might want to monitor the number of connections to your application/Liferay and see whether a high number of connections is being kept open.

AJP.Stats

That is why I have created a small, not really intelligent, very slow, but working script to make your life easier :)

ENJOY! :)

https://github.com/wheelq/AJP.Stats
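As an added illustration of the monitoring idea (my own example, not the AJP.Stats script and not from the original post), the snippet below counts the sockets on the AJP port from `ss -tan` output, grouped by TCP state and, for established ones, by peer host. A pile of ESTAB connections from the proxy that never drains is the symptom of the missing connectionTimeout/keepAliveTimeout. The sample output is constructed in the layout of `ss -tan`; the port 8009 comes from the connector above, and the alert threshold is an assumption you would tune for your own deployment.

```python
import subprocess
from collections import Counter

AJP_PORT = 8009  # the connector port from the post


def split_host_port(endpoint):
    """Split 'host:port' on the last colon so IPv6 literals stay intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def ajp_connection_stats(ss_output, port=AJP_PORT):
    """Count sockets on the AJP port from `ss -tan` text.

    Returns (by_state, by_peer): sockets per TCP state, and ESTAB sockets
    per peer host (normally the Apache/nginx box in front of Tomcat).
    """
    by_state, by_peer = Counter(), Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":  # skip blanks and the header
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        if split_host_port(local)[1] != str(port):
            continue
        by_state[state] += 1
        if state == "ESTAB":
            by_peer[split_host_port(peer)[0]] += 1
    return by_state, by_peer


def established_exceeds(ss_output, threshold, port=AJP_PORT):
    """True when more than `threshold` AJP connections are ESTAB.

    With infinite timeouts these connections are never closed by Tomcat,
    so the count only ever grows until the connector is exhausted.
    """
    by_state, _ = ajp_connection_stats(ss_output, port)
    return by_state["ESTAB"] > threshold


def live_ss_output():
    """Run `ss -tan` on this host (Linux with iproute2)."""
    return subprocess.run(["ss", "-tan"], capture_output=True, text=True, check=True).stdout


# Constructed sample in the layout of `ss -tan`; not captured from a real host.
SAMPLE_SS_OUTPUT = """State       Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN      0      100    10.0.1.2:8009         *:*
ESTAB       0      0      10.0.1.2:8009         10.0.1.5:49312
ESTAB       0      0      10.0.1.2:8009         10.0.1.5:49313
ESTAB       0      0      10.0.1.2:8009         10.0.1.6:50001
CLOSE-WAIT  0      0      10.0.1.2:8009         10.0.1.5:49200
ESTAB       0      0      10.0.1.2:8080         192.168.1.9:40000
TIME-WAIT   0      0      10.0.1.2:8009         10.0.1.6:50002
"""

if __name__ == "__main__":
    states, peers = ajp_connection_stats(SAMPLE_SS_OUTPUT)
    print("by state:", dict(states))
    print("established per peer:", dict(peers))
    print("more than 2 established:", established_exceeds(SAMPLE_SS_OUTPUT, 2))
```

For a live check replace `SAMPLE_SS_OUTPUT` with `live_ss_output()` and run it from cron; a steadily rising ESTAB count from a single peer is what the post's "small Denial of Service" looks like before the connector stops answering.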


09/02/2014

mod_unique_id unable to find IPv4 address - IBM HTTP Server not starting

There may be several causes of this issue, where after starting IHS there is no process running in the system.

# ./apachectl start
#ps -ef | grep httpd
#
No errors are thrown and no process is running. Even the config test passes:
$./apachectl configtest
Syntax OK


We could check whether it is an SELinux issue, but we will check the logs first:

#tail error_log
[Sun Feb 09 17:31:40 2014] [alert] (EAI 2)Name or service not known: mod_unique_id: unable to find IPv4 address of "test0"
The most likely reason is that your hostname is not defined in the /etc/hosts file.

Either change your hostname to "localhost" or add "test0" to the /etc/hosts file.
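An added helper for that diagnosis (my own example, not from the original post or from IHS): it parses an /etc/hosts-style file, tells you whether the hostname mod_unique_id complains about is present, and performs the same kind of address lookup (gethostbyname) that fails in the log line above. The sample hosts text is constructed; "test0" is the hostname from the error message, and the 127.0.0.1 address in the suggested line is an assumption.

```python
import socket


def hosts_entries(hosts_text):
    """Parse /etc/hosts-style text into {name: address}.

    Comments (after '#') and blank lines are ignored; a name listed on
    several lines keeps the first address, as the resolver would use.
    """
    entries = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            entries.setdefault(name, address)
    return entries


def hostname_in_hosts(hostname, hosts_text):
    """True when the hostname appears as a name (not just an address) in the file."""
    return hostname in hosts_entries(hosts_text)


def suggested_hosts_line(hostname, address="127.0.0.1"):
    """The line to append so the hostname resolves locally (address is an assumption)."""
    return "%s\t%s" % (address, hostname)


def hostname_resolves(hostname):
    """Live check: an IPv4 lookup of the kind mod_unique_id performs at startup."""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False


# Constructed sample, not a real hosts file; note that 'test0' is missing.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1   localhost localhost.localdomain
::1         localhost ip6-localhost
10.0.1.2    webserver   # the IHS box
"""

if __name__ == "__main__":
    me = socket.gethostname()
    with open("/etc/hosts", encoding="utf-8") as fh:
        hosts_text = fh.read()
    print("hostname:", me)
    print("in /etc/hosts:", hostname_in_hosts(me, hosts_text))
    print("resolves:", hostname_resolves(me))
    if not hostname_resolves(me):
        print("suggested line:", suggested_hosts_line(me))
```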

27/08/2013

Garbage Collectors - IBM JVM

TL;DR

-Xgcpolicy:gencon (default in V8)
-Xgcpolicy:optthruput (previously default)
-Xgcpolicy:optavgpause
-Xgcpolicy:balanced




Details:

The garbage collector in the IBM JVM, just like other GCs, collects unused (dead) objects from the heap in order to recover memory so that new objects can be allocated on the heap. The IBM JVM provides several GC algorithms:
  • -Xgcpolicy:gencon
    • Unused objects are removed and the survivors are allocated in survivor spaces. After some time they are promoted to the tenured space.

  • -Xgcpolicy:optthruput (previously default)
    • This algorithm works as MSC (Mark-Sweep-Compact): in the first phase the collector marks live objects, in the second it sweeps unused objects, and then it compacts the free space. This is done in parallel. The MSC process differs between JVMs.

  • -Xgcpolicy:optavgpause
    • This policy can be used when the application cannot tolerate long pauses and is willing to trade some overall throughput for shorter ones. The system tries to determine when the next GC will be needed and then runs a concurrent GC, so some GC work is done before new objects are allocated.

  • -Xgcpolicy:balanced
    • This collector policy is new in V8. Different regions of the heap are dealt with individually. More information soon.




Read more on:

http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=%2Fcom.ibm.java.doc.diagnostics.60%2Fdiag%2Fappendixes%2Fcmdline%2Fcommands_gc.html

Garbage Collection Options and Functions


Garbage collection options:

In addition to one of the previous posts regarding memory-management options in various JVMs, it is now time to present some options for the GC (Garbage Collector).

Select specific collector:
  • -XX:+UseSerialGC
  • -XX:+UseParallelGC
  • -XX:+UseParallelOldGC (combine with -XX:+UseParallelGC)
  • -XX:+UseConcMarkSweepGC
  • -Xnoclassgc - disable garbage collection for the permanent generation

Tune the Parallel GC:

  • -XX:ParallelGCThreads=n - limit parallel GC threads to 'n'
  • -XX:MaxGCPauseMillis=n - limit pauses to 'n' milliseconds
  • -XX:GCTimeRatio=n - throughput target (percentage of CPU time spent on the application)

Increase debug level:

  • -XX:+PrintGC - get basic information
  • -XX:+PrintGCDetails - get verbose information
  • -XX:+PrintGCTimeStamps - add timestamps
  • -XX:+HeapDumpOnOutOfMemoryError - very useful :)
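Once -XX:+PrintGC and -XX:+PrintGCTimeStamps are on, the log is only useful if you read it. Here is an added parser (my own example, not from the original post or from HotSpot) that turns those lines into pause statistics: count of collections, how many were Full GCs, total and worst pause, and the fraction of JVM uptime spent paused, which is the quantity -XX:GCTimeRatio and -XX:MaxGCPauseMillis are meant to bound. The sample lines are constructed in the style of that output (the second one in the -XX:+PrintGCDetails layout); the numbers are invented for the demonstration.

```python
import re

# One line per collection as printed by -XX:+PrintGC with -XX:+PrintGCTimeStamps:
#   <uptime secs>: [GC <before>K-><after>K(<heap>K), <pause> secs]
#   <uptime secs>: [Full GC <before>K-><after>K(<heap>K), <pause> secs]
# With -XX:+PrintGCDetails extra per-generation brackets appear before the
# whole-heap figures; the regex skips them non-greedily.
GC_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+): \[(?P<kind>Full GC|GC)\b.*?"
    r"\s(?P<before>\d+)K->(?P<after>\d+)K\((?P<heap>\d+)K\), (?P<secs>\d+\.\d+) secs\]"
)


def parse_gc_log(text):
    """Return one dict per recognised GC line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = GC_LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": float(m.group("ts")),
            "full": m.group("kind") == "Full GC",
            "before_kb": int(m.group("before")),
            "after_kb": int(m.group("after")),
            "heap_kb": int(m.group("heap")),
            "pause_s": float(m.group("secs")),
        })
    return events


def summarize(events):
    """Aggregate pauses; 'overhead' is total pause time over JVM uptime at the last collection."""
    if not events:
        return {"count": 0, "full_count": 0, "total_pause_s": 0.0,
                "max_pause_s": 0.0, "overhead": 0.0}
    total_pause = sum(e["pause_s"] for e in events)
    uptime = events[-1]["ts"]
    return {
        "count": len(events),
        "full_count": sum(1 for e in events if e["full"]),
        "total_pause_s": total_pause,
        "max_pause_s": max(e["pause_s"] for e in events),
        "overhead": total_pause / uptime if uptime > 0 else 0.0,
    }


# Constructed sample in the style of PrintGC/PrintGCTimeStamps output (not a real log).
SAMPLE_GC_LOG = """0.512: [GC 8192K->1024K(31744K), 0.0050000 secs]
1.734: [GC [PSYoungGen: 8192K->1100K(9216K)] 9216K->2124K(31744K), 0.0100000 secs] [Times: user=0.02 sys=0.00, real=0.01 secs]
3.201: [Full GC 2124K->1500K(31744K), 0.0400000 secs]
Heap
 PSYoungGen      total 9216K, used 2048K
"""

if __name__ == "__main__":
    events = parse_gc_log(SAMPLE_GC_LOG)
    for e in events:
        print("%8.3f %-7s %6dK -> %6dK  pause %.4fs" % (
            e["ts"], "Full GC" if e["full"] else "GC", e["before_kb"], e["after_kb"], e["pause_s"]))
    print(summarize(events))
```

A rising `after_kb` across successive Full GC events is the usual sign of a leak, which is when -XX:+HeapDumpOnOutOfMemoryError earns its place in the list above.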